Microsoft Patches Flaws But Still Works On IE Fix

In its first Patch Tuesday of the year, Microsoft has fixed three Windows bugs, one of which was rated critical

Microsoft has begun 2011 with a relatively light Patch Tuesday update that contains two security bulletins to fix three Windows vulnerabilities.

Only one of the bulletins is rated “critical.” That bulletin, MS11-002, covers two vulnerabilities affecting Microsoft Data Access Components.

The first of the bugs exists in the way MDAC (Microsoft Data Access Components) validates third-party API usage. The second is due to the way MDAC validates memory allocation.

Critical Fix

According to Microsoft, both vulnerabilities could be exploited via a specially crafted web page to allow an attacker to remotely execute code.

“The first vulnerability is rated Critical for Windows XP, Vista and Windows 7 and the second rated Important for all supported versions of Windows Server,” blogged Carlene Chmaj, senior security response communications manager for Trustworthy Computing at Microsoft. “It involves the Microsoft Data Access Components (MDAC). This has an Exploitability Index rating of 1, and because there is a web-based attack vector, this is at the top of our deployment priority list.”

The second bulletin, rated “important,” addresses a publicly disclosed vulnerability in Windows Backup Manager that could allow remote code execution if a user opens a legitimate Windows Backup Manager file located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the legitimate file from that location, which in turn could cause Windows Backup Manager to load the malicious library file, Microsoft warned.

“The vulnerability in the Backup Manager DLL that was also patched has exploit code publicly available, but we haven’t seen any attacks attempt to use it in the wild,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “Because an exploit would require a user to take some fairly uncommon steps – such as opening up a Windows backup or ‘.wbcat’ file from an SMB or WebDAV server – it’s less appealing as an attack vector than other vulnerabilities out there that require much less of the user.”

Patching Question Marks

Last week, some security researchers asked why Microsoft was not releasing patches for some of the other vulnerabilities that have been in the public eye of late, including an Internet Explorer bug the company warned about in December that is due to the creation of uninitialised memory during a CSS (Cascading Style Sheets) function within the browser. While the company did not issue a fix, Microsoft has added a workaround to help users deal with the bug.

“This month, we are revising Security Advisory 2488013 to include an additional workaround in the form of a FixIt package that uses the Windows Application Compatibility Toolkit to protect customers from this vulnerability, Chmaj wrote. “This workaround only applies to systems that have the MS10-090 update for Internet Explorer installed. The vulnerability discussed in the advisory occurs when an attacker creates a malicious CSS file that points to itself and provides it to Internet Explorer. This action corrupts memory and could be exploited.”

“Customers should be mindful that there are several zero-day vulnerabilities in the wild such as a flaw in the Graphics Rendering Engine (CVE-2010-3970)… and a bug found by Michal Zalewski in mshtml.dll,” noted Josh Abraham, security researcher at Rapid7. “The Graphics Rendering Engine vulnerability and CSS Import Rule Processing Use-After-Free vulnerability both have mitigations that Microsoft has provided. Customers should implement these mitigations until a patch has been released.”

Small and midmarket organizations depend on their data as much as large enterprises depend on theirs—but the right tools for protecting a smaller organization’s data are not enterprise tools with reduced feature sets and price tags. Organizations of all sizes need to understand their exposure caused by mediocre protection, and then utilize “right-sized” technologies that […]

Shifting SMB IT and Storage Requirements This report describes how the HP Simply StoreIT program and HP MSA Storage can help small and midsized businesses (SMBs) reduce costs and improve operations by quickly and easily adding storage that is optimized for server virtualization to their IT infrastructure deployments.

The network security paradigm is currently shifting toward a new reality as advanced hacking methods become more prevalent and harder to detect. An example of such a method is advanced evasion techniques (AETs). Although evasions have been documented extensively in the last 15 years, security vendors have systematically ignored the significance of evasions. Some vendors […]

The need for robust network security is growing, but IT security teams, resources, and budgets are shrinking at many organizations. That doesn’t mean you have to scale down your growth or skimp on key IT security areas, but it does mean you need to optimize your resources, starting with your network firewall team. Resource optimization […]